Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Vendors Say Data Protection Software Too Complicated To Use

samzenpus posted more than 3 years ago | from the being-safe-is-hard dept.

Privacy 153

jfruhlinger writes "With a series of major data breaches over the past few months, you'd think more and more companies would be investing in data protection software, which can help keep data secure even on systems that have been compromised. Unfortunately, even organizations that have paid good money for this software often don't use it, because, as one of the vendors admits, it's often too complicated to use."

cancel ×

153 comments

Sorry! There are no comments related to the filter you selected.

Alot of Enterprise Software is "too complicated" (1)

Anonymous Coward | more than 3 years ago | (#36030214)

In other words, alot of enterprise software is poorly designed.

Well designed software is easy to use.

Re:Alot of Enterprise Software is "too complicated (2)

CohibaVancouver (864662) | more than 3 years ago | (#36030334)

Well designed software is easy to use.

Did you RTFA? This isn't Donkey Kong Jr. we're talking about here. DLP software, while extremely sophisticated, isn't that hard to use - What's difficult is the requirement for a company to create business policies that define what data is critical and what isn't. If you turn the alerts up too high, end-users and IT security are bombarded by noise and warnings, making the system useless. If you turn the alerts down too low, then you run the risk of data leakage.

Re:Alot of Enterprise Software is "too complicated (2)

ToasterMonkey (467067) | more than 3 years ago | (#36030634)

Did you RTFA? This isn't Donkey Kong Jr. we're talking about here. DLP software, while extremely sophisticated, isn't that hard to use - What's difficult is the requirement for a company to create business policies that define what data is critical and what isn't. If you turn the alerts up too high, end-users and IT security are bombarded by noise and warnings, making the system useless. If you turn the alerts down too low, then you run the risk of data leakage.

WOW, that's funny how it suddenly becomes a business problem when this software shows up! A sane person would reason, if the software invented this problem, the software should fix it!

Christ, we're supposed to be SOLVING problems with computers!
This reminds me of enterprise backup implementations and shaking down non-IT organizations for data retention policies. Like it's their job to analyze the risks of [not] having snapshots of their data from arbitrary points in time other than YESTERDAY.

These both clearly map to the real world and are not entirely an invention of IT folks right??

Re:Alot of Enterprise Software is "too complicated (1)

sortius_nod (1080919) | more than 3 years ago | (#36030714)

The problem is that you have IT managers that are trained to manage not understand IT, IT admins that are trained in only MS software, and users who aren't trained at all on how to use software effectively.

I've seen this happen a lot in business, the bigger they are, the less emphasis there is on positive IT policies or employing IT professionals who actually know what they are doing. The main emphasis in big business is to climb the corporate ladder, buy stuff from vendors you get kickbacks from, and employ people who are cheap or friends of managers.

The IT side of business is not getting any better, we're seeing data breeches, hacked sites, and takedowns happening on some of the largest corporations in the world. These kind of things would not have happened if IT managers, admins, and users were trained properly or employed for the right reasons.

Re:Alot of Enterprise Software is "too complicated (2, Funny)

Anonymous Coward | more than 3 years ago | (#36031134)

The main emphasis in big business is to climb the corporate ladder, buy stuff from vendors you get kickbacks from,

So which vendors are these? I'm apparently doing it wrong....

Re:Alot of Enterprise Software is "too complicated (2)

cavreader (1903280) | more than 3 years ago | (#36031212)

Over the past 23 years I have also seen how large corporations manage their IT departments and I have seen quite a few competent IT managers that have actual development experience in their backgrounds. I have also not seen any evidence of kickbacks from vendors being SOP as you stated. Contrary to popular belief there are some corporations that do support and manage their IT departments policy, intelligent hiring practices, and well thought out procedures. Trying to reconcile the IT data handling requirements with the business data requirements can be difficult. Just like the parent in this thread said it can be a fine line between securing data while also providing access.

Re:Alot of Enterprise Software is "too complicated (1)

AK Marc (707885) | more than 3 years ago | (#36031432)

Trying to reconcile the IT data handling requirements with the business data requirements can be difficult. Just like the parent in this thread said it can be a fine line between securing data while also providing access.

There should be little, if any, push back from IT to well defined business requirements. What I find is the "fine line" where IT recognizes bad business requirements and those in charge of defining business requirements don't (such as giving every administrative assistant in the company full permissions to every file because their bosses can't be bothered to actually do their jobs and the admin assistants back each other up so when one is out sick, any of the others in the entire company may be taking their place that day).

Yes, I've seen more than one database where the administrator of the database in IT had lower permissions than almost everyone who used it (though they could instantly elevate them, if necessary), despite working with it in a much greater capacity, and often then fixing screwups that would have been fixed if permissions were set according to reasonable business requirements.

But a business where the managers wanting a secure but usable database and are willing to define both of those terms almost always get what they want without any interference from IT, and no balancing act/reconciliation is necessary. It's only when they demand a "secure" database, but every manager and secretary in the company must have full access to the database (even what they'd never need or use) because they are management or support management, where I see there being a problem between IT and others. And it's not IT's fault, other than not being able to explain their points clearly enough to the people involved so that they understand what the issues are.

Re:Alot of Enterprise Software is "too complicated (1)

cavreader (1903280) | more than 3 years ago | (#36031756)

I have also seen things like admin accounts being used by a group of people. Especially developers. The worst is when the developer hard codes the DB sign in information in the app config file they are working on and sometimes forgetting to remove the hard coded account when the app leaves the development department.

Re:Alot of Enterprise Software is "too complicated (5, Insightful)

AK Marc (707885) | more than 3 years ago | (#36031390)

We just finished royally screwing up a database project. The database is mostly worthless because it assumes a set of non-existent processes. The business unit demanding the new database wanted better processes in place. But wouldn't define them. So the programmers had to put something in, and programmers who don't know what our business is have now defined our business processes (and poorly, of course) because the people demanding the magical database be built that fixes all their problems couldn't even be arsed to define what their problems were.

It's like having recipe software which you put recipes in, along with cooking instructions, and a robot makes the item. Then, once you have all the ingredients in, you realize you didn't have any cooking instructions. So you complain that the software doesn't have default cooking instructions programmed in that would just magically make cookies or cupcakes without you having to do all that extra work.

The problem isn't the software. It couldn't be any more user friendly. Just tell it what you want, and poof, it will pop right out. The problem is that the users can't be bothered figuring out what they want, so the software is at fault.

Re:Alot of Enterprise Software is "too complicated (1)

mt1955 (698912) | more than 3 years ago | (#36031030)

Did you RTFA?

This is slashdot, right?

Re:Alot of Enterprise Software is "too complicated (3, Insightful)

Fluffeh (1273756) | more than 3 years ago | (#36030374)

No, what it means is that a lot of responsibility that IT managers (and higher) are given, such as ensuring that confidential data is kept confidential, is either too hard for them, takes too much time or they are simply incompetent to fulful that role. I don't mean technically - it isn't just an IT managers role to tick the right boxes in a menu, I mean if THEIR managers are unwilling to spend the time, money and effort on their own, then it falls to the person to convince them of the need to do so.

Re:Alot of Enterprise Software is "too complicated (2)

donaldm (919619) | more than 3 years ago | (#36031366)

Saying software is "Too complicated" is usually a cop-out by the users and the managers that are involved in purchase and/or use of that software. Most backup software while sophisticated is fairly user friendly however many managers don't really know (or care?) what is really required to set-up a backup and recovery solution.

On of the problems with setting up a reliable IT disaster recovery solution (I will stick to backup and recovery here) is for management to decide on the requirements. The most common solutions are basic spot and full recovery which could include multi petabytes of data and what could called base metal recovery in that only the basic OS is recovered after a system disk failure. Yes many companies still don't mirror their system disks although system disk or even data disk mirroring does not prevent deliberate or accidental corruption. Both of these backup and recovery techniques may require different software and this needs to be taken into account.

Another aspect of backup and recovery is on-site, near-site and off-site storage of backup media with costs varying from a few hundred dollars to millions of dollars.

Even after careful backup and recovery design you still need to test the recovery otherwise the company may be extremely embarrassed when a failure occurs. I have actually seen backup software that was configured to back up all the database infrastructure but failed to actually backup the database so that when the hard disk containing the data failed the company lost all its database which proved to be very costly. The person concerned with implementing the backup never tested a recovery which would have immediately shown that he had failed to include the database data in his backup software. I am quite sure many people here can come up with more horror stories of this nature.

Re:Alot of Enterprise Software is "too complicated (0)

Anonymous Coward | more than 3 years ago | (#36031554)

then it falls to the person to convince them of the need to do so.

It falls to the manager to hire someone competent and then listen to what they have to say. If a manager wants to know why and what data security he needs he should take a class. If he wants to be a manager he should manager. Responsibility should flow up the chain of command not down.

Re:Alot of Enterprise Software is "too complicated (1)

grcumb (781340) | more than 3 years ago | (#36031688)

I don't mean technically - it isn't just an IT managers role to tick the right boxes in a menu, I mean if THEIR managers are unwilling to spend the time, money and effort on their own, then it falls to the person to convince them of the need to do so.

You know, there used to be these things called ethics (mostly honesty, trust and integrity) that all the good workers brought to the office every day. But that was way back in a time when companies actually invested in their staff, looked after them for the better part of their career and in return expected them to protect the company's interests.

This good conduct was policed with a degree of strictness and care by managers, who were held responsible for the materials under their control.

Now, however, we have Data Protection Software. Oh Brave New World, that has such applications in it!

Re:Alot of Enterprise Software is "too complicated (1)

jtownatpunk.net (245670) | more than 3 years ago | (#36030388)

And enterprise users are dumb. It's a bad combination.

Re:Alot of Enterprise Software is "too complicated (2)

lgw (121541) | more than 3 years ago | (#36031088)

It's not that enterprise users are dumb, it's that they care about their actual job, not some crappy software (OK, some of them are also dumb).

Re:Alot of Enterprise Software is "too complicated (3, Interesting)

donaldm (919619) | more than 3 years ago | (#36031426)

And enterprise users are dumb. It's a bad combination.

No, many users only do what they are told and in the majority of cases the blame rests firmly with the managers. In the enterprise managers like to "de-skill" users (Management 101) by placing them into restricted rolls. Some Managers hate professional people since these people are usually multi-skilled and leave if they are forced down a narrow skill path. The consequence of de-skilling is you end up with people who are poorly trained, but of course Management covers itself by stating that the users are not skilled enough and more training is needed so after that training those people who are a little smarter leave for better pay and conditions and so the circle repeats itself.

Also, (1)

MrEricSir (398214) | more than 3 years ago | (#36030478)

a lot of people think "alot" is a word.

Re:Alot of Enterprise Software is "too complicated (1)

xploraiswakco (703340) | more than 3 years ago | (#36030488)

I've said this before, ease of use and security do not go hand in hand. In short they are generally not compatible.

The hard part is finding the right balance between them.

Re:Alot of Enterprise Software is "too complicated (0)

Anonymous Coward | more than 3 years ago | (#36030554)

Vendors Say Data Protection Software Too Complicated To Use

I have no problem at all using my data protection software [ubuntu.com] of choice:)

Re:Alot of Enterprise Software is "too complicated (2)

c0lo (1497653) | more than 3 years ago | (#36030758)

In other words, alot of enterprise software is poorly designed.

Well designed software is easy to use.

I would't call ERP software (like SAP or Oracle financials) poorly designed, however setting up an installation up also takes years.

Looking into the specific differences between an ERP and DLP system may offer some explanation how come configuring an ERP is budgeted/paid for by the company while a DLP isn't.

1. Without an ERP, the guys that have the final say in approving a budget cannot work (CFO is blind): the impact is immediate and obvious. Without DLP, not so.

2. Even more, a ill-configured DLP (or even a well-configured one) is restrictive for all the users - sociopathic managers included - do I need to say more?.

3. Moreover, even if both of the system are in the "support for the process" category (not inherently on the direct line that gets income to the company), the ERP is "operational cost" (need it every day) while a DLP is a "risk prevention cost" (money someone will pay for "just in case").
Risk management is more specialized, more complicated and requiring more imagination than financial management: the difference between "how and what can go wrong in various and possibly obscure points of my business? Who would benefit of something going wrong for me; who's the possible attacker?" and "How much was spend and what revenue you think you'll get in the next FQ or FY from this-and-that well-known market segments"?

One on top of the other, the CEO/CFO and the minions will need to leave their mental-warm-and-comfy-place to understand the need for a well-configured DLP and approve/pay-for a 1-2 years contract with a specialized team of contractors to set the security systems (DLP included) in place. Its akin requesting an accountant to show imagination - an almost oxymoronic concept.
That until something extremely bad happens (think Sony)...

Re:Alot of Enterprise Software is "too complicated (1)

lgw (121541) | more than 3 years ago | (#36031100)

I would't call ERP software (like SAP or Oracle financials) poorly designed, however setting up an installation up also takes years.

So, they're well designed as a jobs program for consultants, but they're pretty damn craptastic at being ERP software.

Re:Alot of Enterprise Software is "too complicated (1)

donaldm (919619) | more than 3 years ago | (#36031540)

I would't call ERP software (like SAP or Oracle financials) poorly designed, however setting up an installation up also takes years.

The software you mentioned only includes backup methods to backup software. By themselves any backups are crude.

Setting up a backup solution for SAP or Oracle Financials should at the most take a few days although that is assuming your backup hardware and software is inplace. Even a recovery should if you have the appropriate backup hardware take a few hours in a worst case scenario. I won't de-nigh that the set-up of an enterprise database with appropriate computers, storage, backup hardware and software can take a while (a few months) but a few years? I would love to be on that type of project I could do with an extra mansion :) With SAP we have a 2, 5, 7 proportion that being "2" for the hardware, "5" for the software and "7" for the consulting and we will tell you when you can close your cheque book ;)

One big problem I have found in the enterprise is security. With Oracle the DBA's don't like security software (example: SElinux) turned on since they need to arrange for ports to be opened and in the majority of cases this falls into the "too hard" category.

Actually with regard to Sony does anyone know what OS they were using with their database and what that database was? For crackers to get database information this would not really reflect on the OS since the blame in the majority of cases would fall on the DBA's.

Re:Alot of Enterprise Software is "too complicated (1)

c0lo (1497653) | more than 3 years ago | (#36031670)

I would't call ERP software (like SAP or Oracle financials) poorly designed, however setting up an installation up also takes years.

... can take a while (a few months) but a few years? I would love to be on that type of project I could do with an extra mansion :) With SAP we have a 2, 5, 7 proportion that being "2" for the hardware, "5" for the software and "7" for the consulting and we will tell you when you can close your cheque book

As TFA says: installing and configuring a DLP is not very hard in itself, but

DLP is the "most disappointing" portion of the security market primarily because of the amount of time it takes companies to identify the data they want to protect, create profiles and taxonomies to categorize it .

I imagine that is where most of the time (and consulting paychecks) go into.

Hire me. (0)

Anonymous Coward | more than 3 years ago | (#36030232)

They should hire me to help them fix it.

Re:Hire me. (0)

Anonymous Coward | more than 3 years ago | (#36030484)

They can only find you or me if there is a data leak. You failed your first test.

Hire better people? (4, Insightful)

24-bit Voxel (672674) | more than 3 years ago | (#36030242)

Am I the only one who read this as: It's too complicated for the entry level IT guys we hire to use....

Re:Hire better people? (0)

Anonymous Coward | more than 3 years ago | (#36030286)

I read this as "too time consuming for people to bother" or "it's annoying to configure stuff properly"

Why do you think Vista was such a downer? The UAC is a good security feature - it has prevented at least 1 virus from actually installing on one machine here as the user didn't allow an unknown program privilege escalation. But people don't use it because it was "annoying" in spite of the problems that XP had.

Re:Hire better people? (3, Interesting)

dwarfsoft (461760) | more than 3 years ago | (#36030300)

Absolutely. Too hard for monkeys to randomly press things and get things set up perfectly. Solution: Hire more monkeys...

They don't realise that paying a bit more for a few Good people would save them money in the long run, instead of flooding the ranks with monkeys.

Re:Hire better people? (2)

clang_jangle (975789) | more than 3 years ago | (#36030426)

They don't realise that paying a bit more for a few Good people would save them money in the long run, instead of flooding the ranks with monkeys.

Bingo. Companies are less willing to pay what a job is worth, so they end up with people who don't have the skills or experience to do the job properly. Of course, sometimes they are paying well but the company just has a crappy culture of doing things half-assed. I can think of at least one tech giant that meets that description...

Now! Now! (0)

Anonymous Coward | more than 3 years ago | (#36030898)

Don't try to say that knowing how to encrypt data with specialty tools should be a pay-raise. We've all sent encrypted messages in childhood to bypass detection by others, so what is the difference? Encryption is practically all over elementary fiction novels, so why not in the workplace?

Video Related... http://www.youtube.com/watch?v=GlKL_EpnSp8 [youtube.com]

Re:Hire better people? (3, Insightful)

24-bit Voxel (672674) | more than 3 years ago | (#36031032)

Back in the late 90s, these companies actually trained their employees and gave raises that matched performance.

It was really amazing. Nowadays companies don't train their employees, and it shows.

It's funny to read the article and not think about training budgets being a thing of the past. It's the software's fault, not managements for sucking away the training dollars.

Re:Hire better people? (1)

Super Dave Osbourne (688888) | more than 3 years ago | (#36031074)

Its really sad to read this type of article, in fact companies have now completely commoditized the human element of the business. Get the economy in such a dire strait allowing companies and the people they 'employ' to gladly accept the Orwellian aspects of today's employment options. Its a win win win. Government loves it because the average intelligence level of employment is dwindling, less intelligence where daily (yes, meant this way, a job is just a day away from being unemployment checks), employer loves it because they can get rid of dodos without much resistance making for a 'dynamic' business model and finally the employee loves it otherwise they'd be out on the street where they belong due to lack of education or ability. See, it does work well in America. The downsizing and sell off of America to the lowest bidder via the free system, unregulated and open to competition is now in full swing.

Re:Hire better people? (2)

CodeBuster (516420) | more than 3 years ago | (#36031282)

If you are so convinced that your business ideas are right and everyone else is doing it wrong, why not prove that by getting out there, founding a company and making a mint? Try your hand at being an entrepreneur or starting your own company before criticizing businesses for giving employees a raw deal. Anyone can be an employee after all, but it takes hard work, courage, skill and yes even a bit of luck to be an entrepreneur who creates new jobs and new wealth. Always remember that fortune favors the bold, not the timid.

Re:Hire better people? (0)

Anonymous Coward | more than 3 years ago | (#36031514)

Have you ever heard the expression "leave a dollar in the other mans pocket"?
Just because you can stomp your workers into a mudhole, and it's profitable, doesn't mean you must.

Re:Hire better people? (1)

CodeBuster (516420) | more than 3 years ago | (#36032038)

I compete to win and so should you. Own your failures (and learn from them), take your winnings and make no apologies; that's my motto. If you can't or won't compete, there are many hungry Indians and Chinese who would jump at the chance to take your place.

Re:Hire better people? (3, Insightful)

olsmeister (1488789) | more than 3 years ago | (#36030320)

At some point, someone will have to determine what's costlier: a little extra money up front to recruit knowledgeable and capable people to safeguard the company's and customers' valuable information ... or a public relations disaster such as Sony is experiencing.

Re:Hire better people? (1)

ShakaUVM (157947) | more than 3 years ago | (#36030508)

>>At some point, someone will have to determine what's costlier: a little extra money up front to recruit knowledgeable and capable people to safeguard the company's and customers' valuable information ... or a public relations disaster such as Sony is experiencing.

That was my thought on the matter. How expensive would it have been to have hired one of these data protection firm's people to work for Sony part-time? Or, hell, full time?

How much money did Sony lose from not only getting hacked, having the PSN network taken down, but also from the fact that people have found out that they didn't even go to the trivial effort of using crypt() on the passwords, and held it all in plaintext?

I had some friends over last weekend and we were going to buy a game on the PSN to play and oh wait. Sorry, Sony, no sale for you. Hope the $100k or so you saved was worth it.

Re:Hire better people? (4, Informative)

BoogeyOfTheMan (1256002) | more than 3 years ago | (#36030590)

They did not store the passwords in cleartext, from the PSN Blog:

"One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link."

http://blog.us.playstation.com/2011/05/02/playstation-network-security-update/ [playstation.com]

Re:Hire better people? (2)

ShakaUVM (157947) | more than 3 years ago | (#36030782)

Hmm, well that makes me feel vaguely better about the whole thing. Do you know if the passwords stolen were easily guessed ones, or if PSN used a weak hashing algorithm which allowed recovery of the passwords? I heard reports that people's WoW accounts were being hacked via their PSN passwords.

Re:Hire better people? (1)

Undead Waffle (1447615) | more than 3 years ago | (#36032054)

They did not store the passwords in cleartext, from the PSN Blog:

"One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link."

http://blog.us.playstation.com/2011/05/02/playstation-network-security-update/ [playstation.com]

From the link in the blog you linked:

Hash - a special form of encryption often used for passwords, that uses a one-way algorithm that when provided with a variable length unique input (message) will always provide a unique fixed length unique output called hash, or message digest.

So they're saying the passwords weren't encrypted, they were stored as hashes. And to explain the difference they link a page that defines a hash as a form of encryption...

Re:Hire better people? (1)

lgw (121541) | more than 3 years ago | (#36031116)

The particular manager who's buget would have taken the hit for doing data protection right for Sony is probably unknown to the managers who will shoulder the blame for the problems - especially as he's likely already moved on to a better position after demonstrating his ability to run a cheap shop.

Re:Hire better people? (1)

donaldm (919619) | more than 3 years ago | (#36031664)

As for the Sony crackers (lets get this right) would only get passwords in encrypted format and these would only be stolen from the database information not from the OS such as /etc/passwd and /etc/shadow or from a Linux/Unix trusted database (TCB) which would only show encrypted passwords anyway. Even if you had root privileges I would be surprised if users had their information in standard login files. Even in MS Windows you need to be the "administrator" to get the encrypted passwords and one would hope that server user names did not have admin privileges.

To allow PSN access Sony would most likely use LDAP or something equivalent which would check the users "rsh" (assumed) encrypted password with that encrypted password in the user database. It is not really that catastrophic to get a user's login password but getting their credit card and account details is since the later can be used for identity fraud which can be much more serious.

Re:Hire better people? (3, Interesting)

grcumb (781340) | more than 3 years ago | (#36031772)

At some point, someone will have to determine what's costlier: a little extra money up front to recruit knowledgeable and capable people to safeguard the company's and customers' valuable information ... or a public relations disaster such as Sony is experiencing.

You're assuming that massive data theft is a disaster to the company. If experience is any guide [imagicity.com] , that's not true:

It seems that in the esoteric world of noughts and ones, belief matters far more than empirical truth, making a true Data Disaster literally inconceivable.

There can’t be a Data Disaster today, because we can’t imagine what one would look like. Likewise, there won’t be a Data Disaster until we become capable of realising that they’re all around us, happening every day.

Re:Hire better people? (3, Insightful)

pkinetics (549289) | more than 3 years ago | (#36030496)

Actually I read it as:
  • Little buy in from upper management. Without this getting people to meet and discuss and prioritize is futile.
  • No return on investment. Securing data is not glorious until after you've been compromised.
  • Risk versus reward.
  • Software setup is not overly hard. Integration with existing systems is.

Re:Hire better people? (1)

Nos. (179609) | more than 3 years ago | (#36031024)

Yup... we're in the beginning stages of trying to roll out DLP at work. Its not as simple as installing some software and configuring a few policies. There's a heck of a lot more to it than that. Where is data stored? Who is allowed to access it? How can they access it? Are they allowed to read/copy/edit/delete/etc? What data needs to be protected at what level? What needs to be encrypted? What doesn't need to be encrypted?

And that's just a start to the questions you need to ask.

This isn't something that gets setup in a matter of weeks in any reasonably sized organization. Data classification itself can take years. On top of all that, you've got to incorporate other things like PCI, HIPA (for us in Saskatchewan), PIPEDA (Canadian), and other various certifications, act, and legislation. Sorting through all that, comparing your data to each and determining what applies and what doesn't takes time.

Re:Hire better people? (1)

Charliemopps (1157495) | more than 3 years ago | (#36030622)

I think you mean: "Too complicated for the customer service reps we promoted to IT positions with absolutely no training to use"

In my experience there's usually 1 or 2 people at a company that has a clue when it comes to the network. Their time is spent almost exclusively doing things that contribute to profitable projects. Protecting the network is an expense. If you spend your time doing things that are considered expenses rather than doing things that are considered profitable, you will soon find yourself on the wrong side of the next company "re-org" spreadsheet.

Businesses will never prepare for breaches like these until they are required to by law. Incidents in which a breach really costs the company are few and far between. Everyone up and down Sony's management chain are currently busying themselves blaming the "Hackers" and consoling themselves with statements like "It was a very sophisticated attack" and "No matter how much protection you have, they'll always find away" None of which is true of course. This sort of data simple should not have been available to anyone outside Sony's corporate headquarters and the only people with access to it there should have been developers. The fact that the hackers could get to it meant that any low level employee in the company could have walked off with it. In fact, it's more likely that an employee was involved than anyone at Anonymous, and just used the DDoS attack as a smokescreen.

Re:Hire better people? (2, Informative)

Anonymous Coward | more than 3 years ago | (#36030934)

This sort of data simple should not have been available to anyone outside Sony's corporate headquarters and the only people with access to it there should have been developers.

This is false. Developers should not have access to production data, especially not highly-sensitive production data! Only system operators should remotely have access to this kind of data. I do not understand how Sony never got audited for this kind of thing. Normally, investors want some kind of insurance from an audit that stuff is at least partially secure. Most password change restrictions come from this kind of audit.

Re:Hire better people? (1)

sjames (1099) | more than 3 years ago | (#36032174)

What is considered an expense and what is profit has little to do with the value of various functions. The people who actually make a product are called an "expense", but ales and management are regarded as "profit". They argue that sales brings money in, so it's profit. Management attracts investment, so it's profit. Never mind that without a product there's nothing to sell and the investors will go away.

What really costs is having blinkered idiots for management, but for some reason management keeps overlooking that potential saving...

Re:Hire better people? (2)

starfishsystems (834319) | more than 3 years ago | (#36030628)

Could be. But it's also because the senior people (eg CIO, CSO) are often operating at a vague, sloppy level of abstraction.

Whether they're acting on their own initiative, or on the advice of technical management - who are themselves often more informed by marketing materials than knowledge of security principles - I'm not surprised to see money being spent on security products without much or any attention to security processes. It's been that way for a long time, though folks like Bruce Schneier will be the first to tell you that's putting the cart before the horse.

What does one of these wonderful "Data Loss Protection" systems actually do? Well, I don't know. It depends. I can tell you what they won't do, and that's do your thinking for you. That's right. Sorry about that. Guess I lost a sale there.

Here we have an industry publication explaining that there is "a whole category of security software designed to keep information from doing things it's not supposed to even inside the firewall." Let me get this straight, because this is the opening sentence of the article. Information does things? It's burning CPU cycles, waiting to break loose and cause havoc? Because I think we're off to a bad start here. I don't think there should be the slightest suggestion that information, which Claude Shannon elegantly defined for us over fifty years ago, does anything at all except exist. Even an algorithm only exists. Some machine ultimately has to do the work which the algorithm specifies, otherwise no work is done.

A more meaningful thing to say is there is data, and data may have structure. Also, there are consumers and producers of data, and they may have structure. In both cases such structure may be divisible above and below a given level of descriptive granularity. (This is an important property to keep in mind, because without it we have no means of analysis.) If we want to talk about a general data management model, that's about all we can say.

Supposing that we want to talk about something more specific, like providing access to some data to some consumers and not others, we have to impose some definitions on both. This is what the CIOs and CSOs actually want. And it's where most of the work lies. Implementation might be hard too, in its own way, in the sense of being laborious and dealing with a lot of inconvenient details of the real workd, but we can't even begin to assess that until we're clear about what we actually want to do. That's the bit that seems to have been forgotten.

The fact is, no product will do your thinking for you. Security is a process. Start by defining what you want to secure, and who are the players. If you haven't done that, there's no point in spending money on security systems.

Re:Hire better people? (1)

amicusNYCL (1538833) | more than 3 years ago | (#36030664)

Am I the only one who read this as: It's too complicated for the entry level IT guys we hire to use....

Probably not, but at least you're not the only one who is wrong.

The end users are not quoted in this article. The security vendors are the ones who are quoted about the entire process being to complicated for companies to actually implement it.

DLP is the "most disappointing" portion of the security market primarily because of the amount of time it takes companies to identify the data they want to protect, create profiles and taxonomies to categorize it and put in place the software that will protect it, John Vecchi, head of global product marketing for security vendor Check Point told a Register reporter at the company's annual conference today. ...

That "boil the ocean" approach doesn't deliver much benefit until all the pieces are in place, which makes even companies enthusiastic about automating their data protection shy away from the work of actually doing it.

That's a problem for companies like his that develop the software, CheckPoint CEO Gil Schwed said in his keynote.

It sounds like you know better than all those drooling morons though, so there's your niche where you can make your millions.

Re:Hire better people? (1)

Darinbob (1142669) | more than 3 years ago | (#36030798)

But even reading the article it's not that it's "complicated" per se, it's that it's expensive. Companies do complicated stuff all the time. It's just that normally if they perceive something complicated as important they will devote resources to getting it done. Such as hiring experts who understand the complexity, replacing project managers who aren't making any traction, etc. Nothing in the article claims that there's a shortage of qualified or trainable people.

Re:Hire better people? (1)

24-bit Voxel (672674) | more than 3 years ago | (#36031416)

I wonder which employees find the process to be "to complicated" ...

I wonder which employees need to identify the data, create profiles and taxonomies, and put software into place...

Am I going too fast for you? Are we not making the connection here?

I never said I knew better than these drooling morons, but now I'm saying I know better than you.

Re:Hire better people? (1)

kangsterizer (1698322) | more than 3 years ago | (#36030726)

good specialized people cost a lot
as long as they dont have a breahc they dont wanna afford it (of course, affording ONE of these guys would be cheaper over 50 years than ONE single breach but hey!)

Alternative reading (1)

artor3 (1344997) | more than 3 years ago | (#36030816)

It takes thirty hours of training to use the product, and our IT guys are simply too busy putting out fires to get the training.

Re:Alternative reading (1)

swb (14022) | more than 3 years ago | (#36030926)

That's what I read into it.

And it's not a question of hiring "better" people -- sure, there are plenty of shops carrying a certain amount of dead weight, but I don't think that spending the same money for fewer, better people will necessarily be the solution.

I think you need a combination of more people and a way to improve your better people by providing access to more training.

Where I work, we're constantly bombarded with requests to obtain certifications or "get up to speed" on products yet no manager EVER makes a point to send someone to training to learn how to use a product correctly.

So we "figure it out on our own" -- usually we get it right, but I also see a ton of features that nobody has a strong enough grasp or enough time to learn on their own.

Re:Alternative reading (1)

Archangel Michael (180766) | more than 3 years ago | (#36031846)

This is a sign of HUGE problems. Even if you're not experiencing them yet. If your IT guys are running around putting out fires then there are not enough fire suppression systems in place.

The problem is, that the people with the purse strings aren't in the IT department, don't care about IT, unless it affects them directly. In which case, you let the fires burn.

Good IT takes money, skill and guts. Money to get the products that work, skill to implement it, and the guts to tell people to mind their own business and stay out of IT decisions unless they are in IT. Where else does the Marketing Department get to tell Accounting how to count ? Why do other departments get to tell IT how to do IT?

Re:Hire better people? (1)

jvillain (546827) | more than 3 years ago | (#36031784)

That and companies only want generalists. When the job add asks for some one that knows DOS, Window, Exchange, AD, IIS, MSSQL, Linux, Apache, Solaris, Oracle, VMS, IRIX, AIX,Mac, Cisco, Juniper, EMC, Netapp and can program in PHP, Java, C++, .NET and assembler you know the only skill the applicant really has is the ability to hit the speed dial button for the vendor. Pay now or pay later. It's the age old question, and I bet Sony is wishing they had picked the other option about now.

Re:Hire better people? (1)

poetmatt (793785) | more than 3 years ago | (#36031910)

yes, and/or equally like "we don't want to do what would be a best practice, we'd rather make good short term decisions than long term ones".

Re:Hire better people? (1)

Anonymous Coward | more than 3 years ago | (#36032076)

I'm developer who works on systems like the one that was cracked (except for small clients). None of our clients have the budget, but it's an interesting thought experiment to think about how an attack like this could have been prevented.

Encrypting data is easy, but there needs to be some way to decrypt the database so it's contents can be used. Trying to figure out a way to decrypt without also allowing a hacker to decrypt it is very difficult. This is why DVD encryption has never succeeded, despite all their efforts.

My answer in the end: you need to stop people from hacking into the database server in the first place. That's really the only viable solution for most businesses.

They should have used more reliable software and/or they should have had it locked down tighter. And they should have had staff watching around the clock, and hopefully notice the attack before the *whole freaking database* could be dropped.

Think of it this way: if you want to stop shoplifters, then a perfect solution is to build a 10 meter thick concrete wall, floor and ceiling around your shop. With no windows or doors. How do the employees and customers get in and out you ask? I don't know, that's the hard part. Preventing shoplifters is hard, but preventing someone from walking out with *everything on the shelves* can be done.

It's another security buzzword product (4, Insightful)

MrEricSir (398214) | more than 3 years ago | (#36030272)

These things come and go in the security market faster than you can believe. The problem isn't the lack of need, it's that the security software market is a "me too" market filled with companies cranking out software that has the latest buzzwords. In the security industry, everyone just copies everyone's fad else instead of innovating and trying to find a more elegant solution to the underlying problem.

But it doesn't matter anyway, since these companies all target the suits instead of the IT folks. The suits will just buy whatever product sounds nice without consulting the people who will use or administer it. There's effectively no interaction between the vendors and their user-base. /rant

Average IT person is too simple (2)

sdguero (1112795) | more than 3 years ago | (#36030302)

The quality of IT people I have worked with over the last 12 years has slowly degraded over time. We are at the point now where "sysadmins" have the skills that a helpdesk person had 10 years ago. I think there is just so much demand that you have to pay more than companies are willing to spend to get a quality sysadmin or network admin type of IT guy.

Re:Average IT person is too simple (1)

DigiShaman (671371) | more than 3 years ago | (#36030420)

That's half the problem. The other half is installing software and having it either break, or being too open ended of a solution. I'm speaking specifically of backup software and security (Backup Exec and McAfee come to mind). No, I'm not here to debug your shit. As an IT admin in a not-so-unreasonable world, my job is *supposed* to be about finding the right business solution and implementing it with technology to better serve said business. Yes, routine maintenance and checking backups is part of the role. But why should we be constantly subjected to shit products and solutions out there only to be blamed for when they don't work? Even after they're properly setup and configured. That other half is the vendors peddling their shit!

Re:Average IT person is too simple (0)

Anonymous Coward | more than 3 years ago | (#36030440)

Perhaps it is simply because the skills one needs to perform system administration tasks has become far easier than in years before.

I haven't researched or read anything in advance of any Microsoft released product. I know how an AD works from the MCSE I had 10+ years ago. I haven't bothered to renew for several reasons. My customers don't require it and my job tasks don't require it.

I'm not defending lower quality staff but many tasks have become easier. I have not run into anything where I needed a certified individual. There's plenty of help on the web, plenty of documentation and if things go to shit too far, Microsoft support can help out with their undocumented fixes.

I will say that we recommend putting into place some security measures to our clients. They refuse on the basis of cost or inconvenience. That's it.

Our customers could blame us that it is "too complicated" but it is simply because it is for the user. Encrypted email isn't difficult but it is complicated when you have to do something more than clicking "send".

Re:Average IT person is too simple (2)

sdguero (1112795) | more than 3 years ago | (#36030500)

"I'm not defending lower quality staff but many tasks have become easier"

I think thats a big part of the problem. The initial barriers to get an IT job are lower than they used to be because things are easier. But now we have all these people that have no idea whats going on under the hood.

Re:Average IT person is too simple (1)

Dhalka226 (559740) | more than 3 years ago | (#36031510)

That's not a problem.

The problem is when people don't realize (or don't care) that entry level IT is often going to get you entry-level capability. A little server that does nothing but NAT, you can probably hire that teenager one of your co-workers knows and be fine. Low-level help desk stuff, no problem. Simplistic networking, sure. But if you're, say, Sony with tens of millions of users and tens of millions of credit cards stored on your system, you had damn well better find people much more qualified to the particular tasks you need accomplished.

In other words, there's no issue with the barriers to entry for IT; there's an issue with people being unable to comprehend or unwilling to pay for the appropriate people for a job.

Re:Average IT person is too simple (1)

theshowmecanuck (703852) | more than 3 years ago | (#36030464)

Here is a theory: Economic times get tough. The best and most experienced (longest time in) IT people you have are paid the most. The suits decide that they need to trim the bottom line since business is down. They get rid of all those high priced IT guys and keep the low priced guys. Surprise IT is more complicated than the suits think and even though they are bright and well intentioned, the less experienced guys end up having to reinvent the wheel all the time since the bosses got rid of the wheel makers. Things ain't what they used to be...

Re:Average IT person is too simple (1)

jtownatpunk.net (245670) | more than 3 years ago | (#36030624)

It's not just IT. I've watched my company gut every department except legal and accounting over the last few years. When I started here, a significant number of employees had been here for 10 years or more. At least a third of the staff. Some over 20 years. I was genuinely shocked to see that in this day and age. Not any more. I'm now considered an old-timer because I've been here longer than at least 80% of the employees.

Re:Average IT person is too simple (2)

jtownatpunk.net (245670) | more than 3 years ago | (#36030486)

And the new trend from above seems to be shifting from Design, Test, Deploy to Imagine, Deploy, Damage Control.

Re:Average IT person is too simple (3, Insightful)

arth1 (260657) | more than 3 years ago | (#36030702)

And the new trend from above seems to be shifting from Design, Test, Deploy to Imagine, Deploy, Damage Control.

Imagine? Hardly. More like Purchase design, Outsource development, Purchase damage control.

Also, there is a shift away from understanding to knowing, and in this industry, knowledge is worthless. There's a man page for that. Understanding what really happens and why is what you need. Someone who knows why SElinux won't allow you to do something, and not just how to (far too common) turn off SElinux or (taking slightly more skills but no more brains) create rules to allow every complaint SElinux has.

There's also a management belief that security is a product you can implement after the fact. That's as futile as buying a kevlar vest to protect yourself from heart attack. To turn existing insecure infrastructure secure takes months or years of hard and continuous work - sometimes more than redesigning from scratch would do.

Consumer Protection (0)

Anonymous Coward | more than 3 years ago | (#36030342)

I can't just say SOX compliance is too complicated and not adhere to it. Isn't there a consumer privacy or protection law being violated?

Clippy (2)

feedayeen (1322473) | more than 3 years ago | (#36030348)

Hello, I see that you are trying to encrypt and backup your customer data....

Too "complicated"?? (0)

mailinator2 (2111096) | more than 3 years ago | (#36030442)

lol... i remember when a friend called me telling me avira-or-whats-its-called for windows was taking 11hours already to check his 500GB harddrive...

the next day he called me telling me avira-or-whats-its-called for windows had just finished checking his 500GB harddrive... it found nothing but his system was still broken...

i told him to give up repairing windows and just reinstall it... hours later he called me again and asked me if i would download avira-or-whats-its-called for windows for him so he can reinstall it..

i'd just hang up because such people make me sad for some reason... and i turned to my linux system and did some serious work... you know... that lame operating system luckily nobody cares about...

the end

Re:Too "complicated"?? (1)

mailinator2 (2111096) | more than 3 years ago | (#36030482)

my email is bklibvhugzu@bobmail.info btw... slashdot is such a failure these days... i create content here out of pity... :D

Re:Too "complicated"?? (0)

scdeimos (632778) | more than 3 years ago | (#36030582)

I hate to break it to you, but linux isn't the solution to everything.

I use linux (I'm forced to use Windows at work), but when the IDS detected an attempted breach at my previous company a few years ago the source wasn't a Windows machine - it was an employee's linux machine at home that had its security config was royally screwed^H^H^H^H^H^H^H open and unfortunately had VPN access to the corporate network.

Re:Too "complicated"?? (1)

DarwinSurvivor (1752106) | more than 3 years ago | (#36031108)

And how would a Windows or Apple (or anything else for that matter) computer have been any better in that situation?

Re:Too "complicated"?? (2)

smash (1351) | more than 3 years ago | (#36031210)

that wasn't the point. the point is the gp was acting all smug like running linux instantly makes him more secure/suprior.

In the past decade i've dealt with many hacked machines, and they haven't all been windows. An idiotic enough user will result in any system being compromised. Which was the GP's point.

Re:Too "complicated"?? (0)

Anonymous Coward | more than 3 years ago | (#36031124)

agree, and want to make up. Linux, Windows, different, we need to make use of the two, not always trying to kill one.

Mature market? (1)

ToasterMonkey (467067) | more than 3 years ago | (#36030450)

"can take two years to fully implement, he said."

"It's a mature market - please turn it on." John Vecchi

Well if it's mature already, maybe it just sucks?
Two years to implement a system that is 100% overhead, no services rendered! Fuck, that, shit. You're doing it wrong.

When will it catch on with software publishers & independent developers, that no matter how narrow your niche, there are very few excuses for utterly ignoring ease of use.

Free? : No.
Expensive? : No.
Really Expensive! : What are you smoking?
It's just hard work? : DUH, that's why you set out to make a tool for it right, it doesn't have to be a GD requirement.

Re:Mature market? (2)

Darinbob (1142669) | more than 3 years ago | (#36030824)

I have never seen enterprise software that is easy to use. Almost all of it requires consultants of professional services to get it set up. That's because every corporation is unique with unique requirements and the software requires customization and integration.

Re:Mature market? (1)

lgw (121541) | more than 3 years ago | (#36031172)

That process of customization and integration? Yeah, that's what software is supposed to make easy for you. But it costs a software vedore money to provide usability, and they make money on professional services, so as long as the customers keep bending over for it, nothing will change.

Re:Mature market? (0)

Anonymous Coward | more than 3 years ago | (#36030862)

You might want to go back and read the article again. Your first quote was referring to DLP, which can indeed take two years to implement. The second quote was regarding IDS/IPS, which is very much a mature market.

There is one glaring reason that DLP is such a pain in the ass to use and that people leave their IPS devices in monitor mode: the environment they're deployed in is unmanageable. Organizations often have no IT security policy, or if they do, it is not enforced (or is written is such a way as to be unenforceable). Then they hire Skippy the A+ Certified d00d to run their security, give him no budget, no staff, and no authority and wonder why some script kiddie from Russia made off with 30 million credit card numbers.

There is no Easy Button for IT security.

Re:Mature market? (0)

Anonymous Coward | more than 3 years ago | (#36031436)

"It's a mature market – please turn it on," Vecchi told TheReg.

Fooey.

Blah (0)

Anonymous Coward | more than 3 years ago | (#36030470)

blah! so then what is the need and we did because it must.

To complicated since its your personal data (1)

magictongue (603212) | more than 3 years ago | (#36030546)

Ever wonder why crackers only get consumer data and not highly embarrassing confidential data strategic to companies. Like to see the what the top brass really gets payed including entertainment, where does that corporate jet really go, and what is the companies 5 year plan. Notice how its only your data - your credit card information - that is cracked but not the CEO's bank account information or their personal information. Guess companies can figure it out when it really matters.

Re:To complicated since its your personal data (1)

tqk (413719) | more than 3 years ago | (#36030792)

Ever wonder why crackers only get consumer data and not highly embarrassing confidential data strategic to companies.

Air gap between between executive offices' LAN and the Production network. The former is easier to secure being much smaller, and less likely to be doing much beyond MS Office stuff, unlike Prod. where damned near everything has to communicate with everything else, and is connected to the net.

Can't protect broken systems (4, Insightful)

scdeimos (632778) | more than 3 years ago | (#36030610)

You can't just pile software on top of a broken system/design and magically have everything secure.

What surprises me in all this is that the banks are *not* jumping all over these companies for exposing consumer credit card information - whatever happened to PCI Compliance?

Re:Can't protect broken systems (1)

ToasterMonkey (467067) | more than 3 years ago | (#36031094)

whatever happened to PCI Compliance

"Will you be compromised in the next twelve months?" is not part of a PCI audit.

Besides, PCI-DSS is 99.9% common sense - codified. It's not a magic barrier.

Re:Can't protect broken systems (1)

Anonymous Coward | more than 3 years ago | (#36031568)

Also, when you get down to it PCI is a junk regulation with backwards rules, impossible requirements (100% compliance 100% of the time required to get benefits from it - think about that in the context of six nines not being good enough to comply...) and an enforcement set up that is insanely corrupt (company that does 80% of the assessments has former executives on the standards council and is hired by the banks to enforce the regulation...)

TLDR: PCI is a crap regulation designed to keep the suits in congress from regulating the credit card industry, not designed for keeping anything secure other than fat corporate wallets.

Re:Can't protect broken systems (2)

hibiki_r (649814) | more than 3 years ago | (#36031900)

Split control/dual knowledge is pretty decent protection,,, if it's actually implemented properly, that is. If PCI has a problem, is that, with the right auditor, you can bypass this by adding compensating controls that really don't compensate for anything.

If your own people can't get the encryption key, and your decryption services flash in pretty colors when unexpected levels of usage happen, PCI is better than a kick in the teeth.

Re:Can't protect broken systems (0)

Anonymous Coward | more than 3 years ago | (#36031322)

This is a perfect example of how well industry self-policing works.

idiots (0)

Anonymous Coward | more than 3 years ago | (#36030704)

fucking idiots. And the worst part is they reproduce.

Re:idiots (3, Funny)

Noodlenoggin (1295699) | more than 3 years ago | (#36030908)

fucking idiots. And the worst part is they reproduce.

I know what you mean. Then they eventually browse their way to /. and make comments as an AC.

Bullshit Excuse (0)

Anonymous Coward | more than 3 years ago | (#36030794)

DLP is the "most disappointing" portion of the security market primarily because of the amount of time it takes companies to identify the data they want to protect, create profiles and taxonomies to categorize it and put in place the software that will protect it, John Vecchi, head of global product marketing for security vendor Check Point told a Register reporter at the company's annual conference today. Impressively sophisticated applications that can differentiate top-secret plans for next year's product from ho-hum plans for one from five years ago – and apply security policies that don't allow secrets to be copied or carried out of a secure networks, for example – can take two years to fully implement, he said.

Sorry but DLP didn't have to be universally deployed throughout Sony for it to be effective in protecting a couple of customer databases and their various associated processes and dataflows. I've done it more times I can count, it's not that difficult for a company with the resources Sony has. Given the fact Sony doesn't even have a process for ensuring updates are applied properly across various inter-dependant components I doubt they even investigated using DLP let alone decided it was just "too complicated".

Contrary to the headline, it's "vendor", singular (4, Informative)

joeflies (529536) | more than 3 years ago | (#36030802)

The article is about a quote from a marketing mouth from a single vendor, Check Point, who made a sound bite about how hard DLP is to use. And, just by coincidence, they're announcing a security product that is easy to use!

Re:Contrary to the headline, it's "vendor", singul (5, Funny)

Toam (1134401) | more than 3 years ago | (#36030910)

It's weird that this article shows up - I've got the "Ads Disabled" option checked...

in other news (1)

smash (1351) | more than 3 years ago | (#36031174)

... my job is hard, i don't want to do it. but pay me any way. cheers.

Maybe its because...it doesn't exist (0)

Anonymous Coward | more than 3 years ago | (#36032022)

There is no such thing as software that prevents data theft. Once you accept that, you can finally get down to doing real security.

There are still stupid site operators.... (1)

QuietLagoon (813062) | more than 3 years ago | (#36032082)

... for example a major site, dslreports.com, recently had an intrusion. Its customers' info was stolen [dslreports.com] , yet the admins of the site try to pass off the intrusion as something that just happens. Never mind that the admins have chosen (and still seem to not realize the problems with) two-way password 'encryption'..

Until site operators decide to properly secure the back-end data on their sites, no amount of front-end security will stop the insecurity designed into their sites.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>